With the June 28, 2018 signing of The California Consumer Privacy Act of 2018, data breach class counsel are rejoicing that they finally have a private right of action backed with statutory damages. Even though there were previous statutory remedies for privacy violations, the recent California law has gone where no other law has gone before by expressly providing a private right of action for a data breach that also allows for a minimum statutory amount. Not surprisingly given it was the first state to pass a breach notification law, the California legislature again led the way.

After certain data incidents involving the loss of consumer data, California consumers will have beginning on January 1, 2020 a private right of action that can also be brought on a class-wide basis. Specifically, any consumer whose unencrypted or nonredacted personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages.” Section 1798.150(a)(1).

Despite being groundbreaking, there are still numerous hurdles class counsel must surmount before a class can be certified. For example, the private right of action may not be allowed unless the compromised information is subject to unauthorized use. Section 1798.150(a)(1). Accordingly, those incidents where unauthorized use is not in issue are not subject to the statute.

Moreover, the law can only be used against a business with “gross revenues in excess of twenty-five million dollars ($25,000,000)” or one that purchases personal data on “50,000 or more consumers, households, or devices” or one that “derives 50 percent or more of its annual revenues from selling consumers’ personal information.” Section 1798.140(c).

Curiously, the law allows a business to “cure” its security violation; and thereby avoid suit, but leaves to the imagination exactly how that curing process would play out. Section 1798.150(b)(1).

And finally, this private right of action can be withdrawn if the California Attorney General files its own suit after being provided notice of a consumer’s lawsuit. Section 1798.150(b)(3). The AG’s office has 30 days to decide whether or not to file suit after being provided with the consumer’s lawsuit notice.

SB211 was signed into law largely to “technically correct” errors in the law but nevertheless made two significant changes to Section 1798.150 when it removed the prior requirement that consumers notify the Attorney General prior to bringing any action for a data breach and removed the prior requirement that the Attorney General could bar consumer plaintiffs from bringing suit. These two significant changes will certainly make for a very interesting class action year in 2020.

On June 22, 2018, the United States Supreme Court ruled that obtaining cell-site location information without a probable cause warrant violates the Fourth Amendment despite the fact there were no actual associated property rights in the data. In writing for the majority, Chief Justice Roberts sided with the liberal wing of the Court and against those Justices looking to affirm the robbery conviction in question. Justice Gorsuch’s Dissent correctly points out, however, that the “most promising line of argument” available to Carpenter was not well-developed by Carpenter, namely that he had positive property rights in his geo-location data. Gorsuch, J., Dissent at 21. Instead, the Majority ruled there was a reasonable expectation of privacy in the data in question despite the lack of any available property rights.

This decision could have been a potential clarion call regarding privacy rights well beyond that found in a Fourth Amendment context. Instead of confirming the data’s true value – again, as a positive property right, the Majority determined that a third-party’s access and consent to use the data in question did not negate the data’s ability to give rise to a reasonable expectation of privacy – in effect, carefully distinguishing the so-called third party doctrine previously applied by the Court. In so doing, the Majority carefully parsed precedent on this issue – now giving it a second tier analysis status, rather than outright reject it as apparently sought by Justice Gorsuch in his Dissent. Gorsuch, J., Dissent at 5 – 8.

Recognizing the contortions taken by the Majority, Justice Alito fairly screamed for Congressional intervention given this perceived affront to existing Fourth Amendment precedent. Alito, J., Dissent at 27 (“Legislation is much preferable to the development of an entirely new body of Fourth Amendment caselaw for many reasons, including the enormous complexity of the subject, the need to respond to rapidly changing technology, and the Fourth Amendment’s limited scope.”).

On April 17, 2018, the Court previously dismissed another matter involving application of the Stored Communications Act and “rapidly changing technology” given Congressional intervention on the issue rendered moot the question before the Court. Given that the Carpenter Majority’s Constitutional analysis may leave little room for future Congressional intervention, subsequent courts will have to grapple with deciphering the potential import of this decision – a decision with a remarkable four separately written dissents.

For example, what exactly constitutes a “a comprehensive chronicle” of defendant’s past movements or how will heretofore unknown future non-property “privacy rights” give rise to a reasonable expectation of privacy? Justice Gorsuch was correctly very much concerned about the uncertainty springing from this decision. SeeGorsuch, J., Dissent at 12 (“In the end, our lower court colleagues are left with two amorphous balancing tests, a series of weighty and incommensurable principles to consider in them, and a few illustrative examples that seem little more than the product of judicial intuition.”).

Despite how the Court in Carpenter references location-based tracking as some sort of newfound innovation, location-based tracking has been a percolating privacy issue for more than seven years. To that end, even though privacy advocates and criminal defense lawyers may very well bask in this decision for years to come, by the Court not clearly ruling how certain privacy rights can give rise to a positive property right under the Fourth Amendment, privacy advocates may have actually lost a more impactive battle they could have won.

More specifically, if the ACLU – on behalf of Mr. Carpenter, had fully argued the more appropriate positive law approach discussed by Justice Gorsuch we may all be reading a 6-3 decision that found privacy rights in data can indeed give rise to property rights under the Fourth Amendment. Gorsuch, J., Dissent at 21 (“Before the district court and court of appeals, Mr. Carpenter pursued only a Katz“reasonable expectations” argument. He did not invoke the law of property or any analogies to the common law, either there or in his petition for certiorari. Even in his merits brief before this Court, Mr. Carpenter’s discussion of his positive law rights in cell-site data was cursory. He offered no analysis, for example, of what rights state law might provide him in addition to those supplied by §222. In these circumstances, I cannot help but conclude — reluctantly — that Mr. Carpenter forfeited perhaps his most promising line of argument.”). For now, privacy advocates will have to be satisfied with the actual ruling before them – one that leaves the door quite open to future expansions of the “reasonable expectation of privacy”.

On June 18, 2018, the the Office for Civil Rights (OCR) posted a press release announcing its summary judgment victory against the University of Texas MD Anderson Cancer Center (MD Anderson) – a ruling that will require MD Anderson to pay $4,348,000 in civil money penalties to OCR. According to the press release, this is only the second HIPAA summary judgment victory in OCR’s history and the $4.3 million is the fourth largest amount ever awarded to OCR for HIPAA violations.

The June 1, 2018 Administrative Law Judge’s decision ultimately hinged on a stolen unencrypted laptop and several lost unencrypted USB thumb drives containing “identifying information such as patient names, addresses, and Social Security numbers; and clinical information such as diagnoses, assessments, prognoses, and treatment regimes” of a total of 33,500 individuals. Decision at 2.

The hefty fine was based on the fact MD Anderson knew encryption was an essential risk management tool since 2006 yet did not get around to fully deploying encrypted devices until after the losses in question. According to the ALJ, MD Anderson before then made only “half-hearted and incomplete efforts at encryption”. Decision at 5.

According to the ALJ:

The question is whether Respondent took the necessary steps to address the risk that it had identified – the potential for data loss due to the storage of ePHI on unencrypted devices. As I have explained, the failure to address that risk is the sum and substance ofRespondent’s noncompliance. Had it done so, then unauthorized acts by Respondent’s employees might be relevant to the issue of compliance. But, failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.

Mr. Schrems’ most recent actions go at the heart of the current online advertising duopoly and his actions against Facebook and Google should be taken seriously by them given Schrems’ prior successes and the fact he may very well be correct in his assessment of GDPR – a privacy regime that is purposefully ambiguous in the area of consent.

On April 30, 2018, the United States Supreme Court granted certiorari so that it could determine whether a settlement in a privacy class action against Google was “fair, reasonable, and adequate” when the roughly $5 million settlement only went to cy pres recipients rather than actual class members. Specifically, the Court is to decide:

Whether, or in what circumstances, a cy pres award of class action proceeds that provides no direct relief to class members supports class certification and comports with the requirement that a settlement binding class members must be “fair, reasonable, and adequate.”

As is often the case, the devil is in the details. First, the fact “controls and protections” found on a Facebook account may be similar around the globe – as was the case before Ms. Egan’s blog post, does not mean the privacy laws protecting Facebook users have remained the same. Quite the contrary is true given that the choice of law provision applicable to Facebook’s users was just amended from Facebook’s low-tax home domicile of Ireland to the non-GDPR land of California – expressly now leaving about 1.5 billion users potentially outside the purview of the GDPR. When asked by Ars Technica why the choice of law provision was changed, Facebook purportedly said “the change had been made in the name of the companies’ business interests. The company declined to elaborate further.”

Second, neither Facebook’s new Terms of Service nor its new Data Policy – both last revised on April 19, 2018, define the word “you” or “your”. As well, the revised Data Policy expressly gives Facebook broad latitude in its use of undefined user “information”:

We use the information we have (including your activity off our Products, such as the websites you visit and ads you see) to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and understand the types of people who use their services and how people interact with their websites, apps, and services.

If the undefined “you” in Facebook’s agreements differs from the composite “you” created by Facebook that is pseudonymized, repurposed and then sold to advertisers, one could never tell from any of Facebook’s agreements. Interestingly, Recital 78 and Article 25 of the GDPR expressly consider “pseudonymising personal data” a best practice for companies developing Privacy by Design compliance initiatives. Under the GDPR, pseudonymized data can even be processed for purposes different from which the data was originally collected. The only problem with the GDPR’s exalting of pseudonymizing is that companies now oftentimes discover the sovereign identity “you” when provided information concerning the composite “you” that is pseudonymized by Facebook.

It would have been comforting if Facebook’s auditors were on top of this longtime “nudge wink” between Facebook and the advertising industry. Unfortunately, they are not. In an April 18, 2018 paper titled, “Understanding and Improving Privacy “Audits” under FTC Orders”, author Megan Gray points out that Facebook’s FTC audit assessments are circular – “Management asserts it has a reasonable privacy program. Based on management’s assertion, we certify that the company has a reasonable privacy program.”

In effect, this audit process ultimately renders Facebook’s assessments “almost indecipherable” and “requiring certified-auditor knowledge.” As correctly summed up by Gizmodo, “[t]he current process essentially allows companies under consent orders to self-regulate.” Accordingly, it is no surprise that PwC’s auditing cleared Facebook’s privacy practices “in an assessment completed last year of the period in which data analytics consultancy Cambridge Analytica gained access to the personal data of millions of Facebook users”.

Notwithstanding its aptitude for parsing words, Facebook will soon be in uncharted and unpredictable privacy waters where disclaimers and popup consent forms may not easily tread. Even though no one can say with certainty how things will play out after the GDPR’s formal launch on May 25, 2018, one thing is sure – Facebook has very publicly committed to GDPR compliance. And, to the extent there are failings in such compliance, there are more than a handful of class counsel and global governmental agencies ready to pounce on Facebook and its partners.

On April 10, 2018, Facebook’s CEO began his two-day testimony before Senate and House Congressional committees in a quintessential US setting but may have brought with him a groundbreaking privacy regime from across the Atlantic in the process. Mr. Zuckerberg testified: “The internet is growing in importance around the world in people’s lives and I think that it is inevitable that there will need to be some regulation.” The Net Neutrality regulations Zuckerberg may have had in mind may not be what is ultimately in store for Facebook.

The GDPR harmonizes to a great degree the privacy laws of every EU country and broadly controls the use of personal data in connection with either the offering of any goods or services to persons in the EU or the monitoring of EU-based persons. Companies must ensure that they only collect and process the minimum required personal data for the express use given under an unequivocal affirmative consent. The new consent requirements found in the GDPR bring this privacy regime to compliance levels never before seen.

Companies that collect and use personal data must now clearly explain to data subjects the exact uses made of such personal data – with evidence maintained that demonstrate related processes are compliant and followed in each individual case. Persons must also be afforded the opportunity to easily withdraw their consent to this use of personal data at any time and without suffering any detriment as a result of their request. Moreover, persons protected under the GDPR have a right to be forgotten, i.e., all their personal data deleted, and a right to reject any data profiling.

Not unlike rights under 15 U.S.C. § 1681c of the Fair Credit Reporting Act when it comes to credit information, persons will also have the right to have their personal data amended and rectified and the right to be informed as to what personal data is currently being retained or used. Unfortunately, getting Facebook to comply with these subject-access requests has previously been a difficult task. Some have argued that the right to be forgotten – which is actually now more properly termed a “right to erasure”, can only work when GDPR becomes a global privacy regime having “globally connected legislation to ensure that information stored outside of the EU also underlies similar strict privacy regulation.”

A “serious breach” of GDPR requirements may result in a fine of up to 4% of the annual worldwide revenue of the impacted company – with the minimum fine set at €20 million. Disregarding the potential lack of enforceability for this extra-jurisdictional law, companies have been prepping for the GDPR privacy regime for years. Indeed, given the potential downside, multi-national companies based in the US have not surprisingly spent millions of dollars on their GDPR compliance efforts.

Under the GDPR, the EU is for the first time in line with the US as regards data breach notification – but with a uniform and much stricter obligation to notice regulatory authorities within 72 hours of a breach. Given Alabama has recently enacted its own data breach notification law – one that requires notification within 45 days of a breach if the breach is reasonably likely to cause “substantial harm” to the individual to whom the information relates, all fifty US states now have a data breach notification law. Nevertheless, the current patchwork standard for breach notice in the US is far from uniform and certainly much less onerous than the blanket one set forth in the GDPR.

GDPR and Facebook

As set forth on its website, “Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR. . . Facebook may serve as a data processor. When Facebook acts as a data processor, businesses are responsible for ensuring data they share with us complies with the GDPR.” As a data processor who employs more than 250 persons, Facebook is obliged under GDPR to keep detailed records of all of their processing activities. In other words, GDPR opens up the door to accessing Facebook’s vast data mining activities only hinted at by the recent Cambridge Analytica brouhaha.

On April 11, 2018, Mark Zuckerberg testified before the House Energy and Commerce Committee that GDPR “will be positive” and that requiring companies obtain “affirmative consent” makes sense. According to Mr. Zuckerberg, there are a few parts of GDPR that are “important and good”. For example, users should know what data companies have and users should be able to control this data. When asked if GDPR got anything wrong, however, he could not answer the question and simply said he would have to “think about it”. He was asked to provide his response to the House Energy and Commerce Committee at a later date.

Not waiting for Senators Kennedy and Thune to act, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) – two longtime privacy advocates, announced on April 10, 2018 their Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act – proposed legislation requiring the Federal Trade Commission (FTC) to establish specific privacy protections “for customers of online edge providers like Facebook and Google.” Among other things, the CONSENT Act would require that these “edge providers” obtain opt-in consent from users “to use, share, or sell users’ personal information” as well as notify users about “all collection, use, and sharing of users’ personal information.” Although on its face the proposed law is not nearly as onerous as the GDPR privacy regime, there is nothing stopping the FTC from promulgating future regulations that not only include opt-in consent and use disclosures but also GDPR requirements that would never had been on the table before Mr. Zuckerberg began his unsworn testimony before Congress.

In a prior interview with the Washington Post, Senator Markey said: “I think that this [Facebook] privacy spill is politically the equivalent of the oil spill in the Gulf of Mexico. Because it involves our very democracy, I think [it] is going to draw more attention of the American public to this issue.”

GDPR, Facebook, Congress and the Monetization of Consumer Data

On the heels of recent comments from Facebook’s COO regarding the possibility Facebook might one day charge users a fee, Zuckerberg left the door open to the possibility of charging consumers for use of its social media platform. During his April 11, 2018 House testimony, Zuckerberg again denied that Facebook sells its user data, saying: “That’s not how advertising works.” A day earlier Zuckerberg repeated numerous times that Facebook did not sell consumer data – prodding Sen. John Cornyn (R-Texas) to exclaim: “You clearly rent it!” No matter how Mr. Zuckerberg perceives advertising as working or whether or not Facebook actually “sells” consumer data, one takeaway from these hearings is that perception can quickly morph into reality.

Apple’s Tim Cook jumped for higher ground during Zuckerberg’s testimony and publicly said Apple – unlike Facebook, does not monetize its customers and would welcome legislative solutions. Specifically, Cook said: “The truth is, we could make a ton of money if we monetized our customer — if our customer was our product. We’ve elected not to do that.”

Apple’s perspective is either surprisingly narrow or deliberately pinched. Obviously, the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day. Accordingly if Facebook loses revenue due to legislative intervention, Apple will likely not be far behind.

Unbridled data consumption and privacy protection can successfully coexist when immutable and transparent data is bound by a secure and continuous unequivocal affirmative consent. In essence, user data must be treated like a protected commodity that can actually benefit the owner. Indeed, Congresswoman Debbi Dingell (R., Mi.) ended her April 11, 2018 questioning of Zuckerberg by opining that data protection was no less important than having “clean air and clear water”. A company that is able to keep “pure” a user’s data while feeding such data into various digital media ecosystems and compensating the data owner in the process will have found the middle ground previously consciously avoided by existing billion-dollar platforms.

In his February 8, 2018 opinion piece, Santander’s Julio Faura suggests that “utility tokens are a bad idea” because it would be a “lie to ourselves” to suggest ICOs were not actually selling securities. Rather, in Mr. Faura’s opinion “we should collectively work on a framework to build a clearly defined scheme for ICOs, recognizing from the very beginning that they are securities.” And, this “ICO process should be designed in collaboration with regulators to comply with securities law.” Mr. Faura’s opinion piece does not exist in a vacuum. In a report dated February 5, 2018, Goldman Sachs Group Inc.’s global head of investment research suggests that investors in ICOs could possibly lose their entire investments – which ties to Mr. Faura’s underlying premise that ICOs should be regulated “to protect investors”.

It is not clear how his proposed hybrid solution would ever get implemented given it requires complete buy-in from capital markets and regulators so would be a non-starter from day one – why would existing financial institutions and regulators scuttle existing methods of raising capital or attempt to squeeze ICOs under traditional securities law even if considered a sale of securities? Answer: They would not. Ripple – a company partially funded by Santander InnoVentures, offers a glimpse on how traditional financial markets will compete using blockchain technology.

One ICO left untouched by the SEC was “gate keeped” by Perkins Coie and involves an ICO for a utility token that raised $35 million in under a minute’s time. This “BAT utility token” creates a digital advertising ecosystem tied to consumer attention – which is why it is the “Basic Attention Token”. Such ecosystem would certainly be an upgrade from the current digital advertising scheme wedded to the Web ecosystem of 1995.

Recent public SEC statements seem to back this interpretation of their ICO position. On February 6, 2018, SEC Chairman Jay Clayton recently testified that the potential derived from blockchain was “very significant” – his co-witness, CFTC Chairman Christopher Giancarlo, went so far as to say there was “enormous potential” that “seems extraordinary” for blockchain-based businesses. Yet, during his testimony, Chairman Clayton said the SEC would continue to “crack down hard” on fraud and manipulation involving ICOs offering an unregistered security. This is consistent with prior messaging given that Chairman Clayton requested on December 11, 2017 that the SEC’s Enforcement Division “vigorously” enforce and recommend action against ICOs that may be in violation of the federal securities laws. The fact some 2017 ICOs raising hundreds of millions of dollars were not addressed by the SEC, however, provides a clear “nudge wink” that not all ICOs come under SEC regulatory control.

As with BAT, in the future, there will likely be many more utility tokens built on disruptive blockchain initiatives that escape SEC scrutiny given they are not perceived as securities. The fact that the SEC has not yet moved on them – despite moving against Munchee, Inc. weeks after the Munchee MUN offering, signals the SEC will temper its enforcement activities when faced with a disruptive blockchain initiative that begets true intrinsic value. In other words, utility tokens may very well be a good idea after all.

Their testimony provides helpful insight regarding the enforcement direction these agencies will take in the coming months. According to Chairman Clayton, in 2017 there was $4 billion raised in ICOs -with an unknown amount being sold in the US. He was generally “very unhappy with ICOs” and mentioned that the SEC was “working the beat hard” to crack down on them. Accordingly, ICOs are in the “crosshairs of enforcement” and tellingly he testified that “every ICO [he has] seen is a security” subject to enforcement. This testimony is consistent with prior SEC pronouncements given that Chairman Clayton previously requested that the SEC’s Enforcement Division “vigorously” enforce and recommend action against ICOs that may be in violation of the federal securities laws. During his testimony, Chairman Clayton repeated several times that the SEC would continue to “crack down hard” on fraud and manipulation involving ICOs offering an unregistered security.

According to Chairman Clayton, the definition of a security is broad and will turn on whether someone can profit from efforts going forward by buying the token and then trade it with someone else for further profit. Both Chairmen recognized that no one agency has any direct oversight of virtual currencies and welcomed efforts from Congress to draft new legislation that would help with their coordination efforts.

In probably the most interesting exchange during their two-hour testimony, Senator Mark Warner of Virginia recognized that the SEC went after certain ICO promoters but not others so directly asked Chairman Clayton whether the SEC “will go back [to scrutinize prior ICOs]?” Correctly avoiding that question – given it requests insight as to future SEC enforcement efforts, Chairman Clayton instead offered that the SEC is counting on lawyers and accountants to also act as “gatekeepers” for future ICOs.

Chairman Clayton’s testimony came on the heels of the SEC’s Cease and Desist Order in the Munchee, Inc. matter that may have closed the lid on many planned 2018 ICO’s given the stringent standard set forth in that SEC Order. By way of background, Munchee created an iPhone application for people to review restaurant meals. In October and November 2017, Munchee offered and then sold purported utility tokens issued on the Ethereum blockchain. “Munchee conducted the offering of MUN tokens to raise about $15 million in capital so that it could improve its existing app and recruit users to eventually buy advertisements, write reviews, sell food and conduct other transactions using MUN.” Order at 1.

In deeming the MUN utility token a “security” subject to SEC oversight, the SEC made the following finding of fact in its December 11, 2017 Order:

Purchasers had a reasonable expectation that they would obtain a future profit from buying MUN tokens if Munchee were successful in its entrepreneurial and managerial efforts to develop its business. Purchasers would reasonably believe they could profit by holding or trading MUN tokens, whether or not they ever used the Munchee App or otherwise participated in the MUN “ecosystem,” based on Munchee’s statements in its MUN White Paper and other materials. Munchee primed purchasers’ reasonable expectations of profit through statements on blogs, podcasts, and Facebook that talked about profits.

There remains hope for future ICOs given that the SEC is certainly not going after them all. One ICO left untouched by the SEC was “gate keeped” by Perkins Coie and involves an ICO for an Ethereum utility token that raised $35 million in under a minute’s time. SeeFAQ (“We and our counsel at Perkins-Coie are confident that the Basic Attention Token is properly classified as property with utility on the platform we are building, and not a security.”). Given the subsequent Munchee C&D Order, it is unclear why the SEC does not “go back” to this ICO as suggested by Senator Warner.

The founders of Brave Software launched the “Basic Attention Token” in May 2017 seeking to improve on the current digital advertising ecosystem: “Digital advertising is broken [with] unprecedented levels of malvertisements and privacy violations.” The BAT token looks to fix this broken system by creating an ecosystem tied to consumer attention – which is why it is called the “Basic Attention Token”. Such ecosystem would certainly be an upgrade from the current digital advertising scheme based on the Web ecosystem of 1995. BAT tokens can only derive long term value by way of the Brave® Browser. As set forth by a marketing blogger, “If Brave isn’t adopted, the new advertising structure won’t work.”

By successfully obtaining registered trademark No. 5,362,328 for BRAVE – a mark used to distinguish Brave Software’s “web browser software”, the founders of the BAT token demonstrate ownership rights in the Brave browser, that they are the source of such product, and that they will be the direct cause of the browser’s success. In other words, buyers of the BAT ICO would necessarily profit from the efforts of Brave Software, Inc. On the other hand, there remains utility to the BAT token. Moreover, a utility token will likely always be at least remotely tied to the efforts of its founders – there is little reason to believe a token left in the wild would hatch into anything of value. The fact that the SEC has not scrutinized the BAT ICO is actually an encouraging sign the SEC will temper its enforcement actions when faced with a disruptive blockchain initiative that begets true intrinsic value in the token.

And, to the extent state regulatory oversight may be lacking, states will try and enlarge regulatory reach by enacting new laws. For example, California introduced a year ago the Virtual Currency Act (A.B. 1123), which would have required those involved in a “virtual currency business” within the state to register with California’s Commissioner of Business Oversight. Even though this attempt at regulating cryptocurrencies died on January 31, 2018 due to political pressure, it may come back in a different from. Interestingly, there was a carve out in the bill for any “virtual currency business” when it uses “[d]igital units that are used exclusively as part of a consumer affinity or rewards program”.

Class action counsel has also impacted ICOs by directly suing ICO founders in order to recoup millions for class participants. One recent case is Davy v. Paragon Coin, Inc., et al., Case No. 18-cv-00671 (N.D. Cal. January 30, 2018). Plaintiff class counsel sued Paragon based, in part, on the Paragon white paper characterizing its PRG token as potentially increasing in value simply based on the reduction of supply and an increase in demand. Moreover, the paper suggests that “PRG is designed to appreciate in value as our solutions are adopted throughout the cannabis industry and around the world.” Id. at 31. In other words, the efforts of the founders would directly generate a more profitable investment result from the ICO.

The future of ICOs remains viable

Where does this trifecta of enforcement efforts – federal, state and private, leave ICOs? If bankers are to believed, there is currently not much “there”, there. In a report dated February 5, 2018, Goldman Sachs Group Inc.’s global head of investment research suggests that investors in ICOs could possibly lose their entire investments. Goldman’s Steve Strongin said that while he did not know a timeframe for total losses in existing coins and tokens, he ruminated: “The high correlation between the different cryptocurrencies worries me. . . Because of the lack of intrinsic value, the currencies that don’t survive will most likely trade to zero.”

Given the disruptive nature of ICOs on the IPO and private equity markets, it is not surprising that the global head of Goldman downplays the future of ICOs – even if he is correct in pointing out the lack of intrinsic value in most every utility token and coin offered in an ICO. Notwithstanding current enforcement actions and competition from traditional markets, the future for ICOs should remain viable. Moving forward, the key to a viable and “compliant” ICO will be whether the ICO is conducted for a utility token having demonstrated intrinsic value connected to the activities of those other than merely the ICO’s founders.